Let me just say first off that I'm not a ChilliSpot expert, but I've been using the system for about 2 years now.  Hopefully my input is helpful.

I see your firewall script is the default included with ChilliSpot, except for the PREROUTING lines.  These make sense since you're running your web server on port 8080.  As far as I can tell, this configuration should be preventing all but authenticated users from gaining access.  That is unless there's an issue with your FreeRADIUS configuration.  I know this sounds obvious, but have you tried authenticating from a test client with a bad username and/or password, to check this part of the setup?

One possibility is that your uamsecret password is insecure.  Is it shorter than 16 characters or does it include dictionary words?  This part of a ChilliSpot setup is open to a dictionary attack with an insecure uamsecret password, due to the nature of the CHAP protocol.  (See the ChilliSpot FAQ entry: "http://www.chillispot.info/FAQ.html#mozTocId967226".)  Also, if this password is as short as 6 characters, even if random, it can easily be brute-forced.  It's possible this unauthenticated user has used a dictionary or brute-force attack to determine this password and gain access.  This is just a guess.  I'd recommend using a password greater than 16 characters and preferably random, if you're not already.

Another possibility that came to mind does involve the firewall.  Is your firewall script set up to run on server startup, or do you have to run it manually?  If the latter, it's possible your firewall has opened up due to a server reboot.  Many Linux distros have a default iptables policy that allows all traffic through on the INPUT, OUTPUT & FORWARD chains, and this would be in effect in that case.

Good luck with tracking this down.


Does anyone else see a problem with this configuration that could have let an unauthorized user through?  Another set of eyes would be helpful.

Regards,

Will

I was under the impression that ChilliSpot controls access via the tun0 interface, and allows connections on all ports through for authenticated users.  However, my authenticated users cannot access FTP.  Would this be a firewall issue, and if so, could someone recommend what rule(s) I need to add to allow FTP for authenticated users?  HTTP & HTTPS work fine for these users.  Thanks for any comments.

My iptables firewall script is below.


#!/bin/sh
IPTABLES="/usr/sbin/iptables"
EXTIF="eth0"
INTIF="eth1"

# Flush (Delete) any previous rules (all default tables):

#Flush the 'filter' table
$IPTABLES -F -t filter
#Flush the 'nat' table
$IPTABLES -F -t nat
#Flush the 'mangle' table
$IPTABLES -F -t mangle
#Flush the 'raw' table
$IPTABLES -F -t raw

# Default policies ('filter' table)
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Append the following rules to the 'filter' (default) table:

# Allow related and established on all interfaces (input).
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow SSH (on custom port: 49155) on external interface $EXTIF
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 49155 --syn -j ACCEPT
# Allow HTTP on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 80 --syn -j ACCEPT
# Allow HTTPS on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -p tcp -m tcp --dport 443 --syn -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp -m udp --dport 443 -j ACCEPT
# Reject everything else.
$IPTABLES -A INPUT -i $EXTIF -j REJECT

# Allow related and established from $INTIF. Drop everything else.
$IPTABLES -A INPUT -i $INTIF -j DROP

# Allow HTTP and HTTPS on ChilliSpot VLAN (tun0) (This traffic terminates at
#   the Apache web server.):
# Allow HTTP on ChilliSpot VLAN (tun0)
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
# Allow HTTPS on ChilliSpot VLAN (tun0)
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 443 -j ACCEPT
# Allow HTTP on 3990 (ChilliSpot web server's custom port) on ChilliSpot VLAN
#   (tun0)
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT
# Allow SSH on ChilliSpot VLAN (tun0) (on custom port: 49155), for testing.
$IPTABLES -A INPUT -p tcp -m tcp --dport 49155 --syn -j ACCEPT
# Allow unauthenticated users, on the ChilliSpot VLAN (tun0), to ping the server.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow everything on loopback interface (127.0.0.1).
$IPTABLES -A INPUT -i lo -j ACCEPT

# Drop everything to and from $INTIF (forward)
#   ChilliSpot NOTE: This means that access points can only be managed from
#     ChilliSpot.
# Lock down rules - All forwarding goes through ChilliSpot. This allows it to
#   control user's access to the Net via its VLAN.
$IPTABLES -A FORWARD -i $INTIF -j DROP
$IPTABLES -A FORWARD -o $INTIF -j DROP

# Append the following rule to the 'nat' table:

# Enable NAT on output device
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Enable IP Forwarding in the Kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
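An added check, not part of the thread or of ChilliSpot, that audits a live `iptables -S` listing for the lockdown rules the script above installs; it is aimed at the reboot case raised earlier in the thread, where a firewall script that is not run at startup leaves the distro default of ACCEPT policies in place. It assumes the interface names eth0/eth1 from the script, and the two sample listings and the file name are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a live `iptables -S` listing for
# the lockdown rules the posted script installs, to catch the reboot case
# where iptables falls back to the distro default of ACCEPT policies.
EXTIF="eth0"   # interface names assumed to match the posted script
INTIF="eth1"

# Read the listing from stdin, print each expected rule that is absent, and
# return 0 only when all are present. Substring match, because iptables -S
# expands --syn to --tcp-flags ... and adds --reject-with to REJECT.
check_ruleset() {
    listing=$(cat)
    missing=0
    for want in \
        "-P INPUT DROP" \
        "-A INPUT -i $EXTIF -p tcp -m tcp --dport 49155" \
        "-A INPUT -i $EXTIF -j REJECT" \
        "-A INPUT -i $INTIF -j DROP" \
        "-A FORWARD -i $INTIF -j DROP" \
        "-A FORWARD -o $INTIF -j DROP"
    do
        if ! printf '%s\n' "$listing" | grep -qF -- "$want"; then
            echo "MISSING: $want"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample: what `iptables -S` shows once the script has run.
LOCKED_DOWN='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 49155 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -j DROP
-A FORWARD -i eth1 -j DROP
-A FORWARD -o eth1 -j DROP'

# Constructed sample: distro default after a reboot with no firewall script.
REBOOTED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

# Demo on the samples: sh check_chilli_fw.sh --demo   (file name is hypothetical)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$LOCKED_DOWN" | check_ruleset && echo "after script: OK"
    printf '%s\n' "$REBOOTED" | check_ruleset || echo "after reboot: OPEN"
elif [ "${1:-}" = "--live" ]; then check_ruleset; fi
```

On the gateway itself, `iptables -S | sh check_chilli_fw.sh --live` runs the same check against the real ruleset; the nat table (MASQUERADE) is not covered and would need a second pass over `iptables -t nat -S`.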